> On Jan 15, 2017, at 8:45 PM, Ira McDonald <blueroofmusic at gmail.com> wrote:
>> Hi Mike,
>> You are suggesting this new Get-User-Printer-Attributes operation
> does NOT require authentication and authorization of the Client?
No, I am suggesting that this new operation *may* not require Client authentication, depending on the configuration of the Printer, just as Cancel-Job, Cancel-All-Jobs, Cancel-My-Jobs, Create-Job, Get-Job-Attributes, Get-Jobs, Print-Job, Print-URI, Send-Document, Send-URI, and Validate-Job do.
FWIW, Get-Printer-Attributes is basically the only operation in IPP/1.1 (RFC 2911/8011) that does not say anything about authentication, the most authenticated identity, authorization rights, or filtering of attributes or values based on the most authenticated identity. And that makes it impossible to add authentication requirements without breaking a lot of (read: all) Clients.
> If that's right, what value does this operation offer over the classic
> Get-Printer-Attributes (with perhaps an "ipp-features-supported"
> tag that says it supports User-based filtering)?
It makes it consistent with the Job operations.
> My reading of original RFC 2911 was that *any* operation could do
> filtering based on the requesting user (i.e., Get-Jobs).
No, there is discussion of authentication and the most authenticated user/identity, but specific requirements and filtering are discussed in the description of each operation. In particular, Get-Jobs and Get-Job-Attributes talk about filtering based on security policy, while Get-Printer-Attributes only talks about filtering based on document format (and basically says everyone gets to see the same information).
This is arguably a bug in the original IPP specs, but there is nothing we can do to fix Get-Printer-Attributes now.
(but there are advantages to having a public/guest "get" operation for discovering what a Printer will require, e.g., "uri-authentication-supported" values...)
Michael Sweet, Senior Printing System Engineer